Tool Evaluation DPA (GDPR) & BAA (HIPAA)

Parties & Roles. The Submitting Party (the organization or individual evaluating the service) (“Evaluator”) acts as Controller under GDPR and/or Covered Entity/Business Associate under HIPAA, as applicable.

Collective Minds Radiology AB, a company limited by shares incorporated in Sweden under company registration number 559120-7187 (“CMRAD”), address Svärdvägen 5, 182 33, Danderyd, Sweden, acts as Processor (GDPR) and/or Business Associate (HIPAA) solely for the Processing Job defined below.

Purpose & Instructions. Evaluator instructs CMRAD to process Evaluator-submitted DICOM images and related files only to anonymize/de-identify, preview, and export results back to Evaluator (the “Services”). No other purpose; no model training, analytics, or marketing use.

Job-Scoped Term & Deletion. This Agreement starts when files are submitted and ends when CMRAD deletes them after the job, which occurs no later than 60 minutes after job completion (or earlier on Evaluator command). CMRAD automatically deletes uploads and outputs within this window and does not include them in persistent content backups. Deletion confirmation (job ID, timestamps) is available on request.

Evaluator Authority. Evaluator represents and warrants they (i) have lawful basis/authorization to provide and instruct processing (GDPR Arts. 6 and, where applicable, 9; HIPAA permitted uses/disclosures), (ii) have provided required notices/consents, and (iii) will not upload third-party patient data unless duly authorized by the relevant Controller/Covered Entity.

Data & Subjects. Medical images (DICOM) and associated identifiers; data subjects primarily patients (and may include clinicians/technicians). Data may include special category data (GDPR) and/or PHI (HIPAA).

Security. CMRAD maintains appropriate technical and organizational measures, including encryption in transit/at rest, least-privilege access controls, monitoring, segregation, and secure deletion consistent with the ≤60-minute window. See Annex A (Security Summary).

Subprocessors. Evaluator authorizes CMRAD to use infrastructure/operational subprocessors under written terms no less protective than this Agreement. Current list in Annex B. If Evaluator objects, please do not submit files.

International Transfers. Processing and storage occur solely within the EU/EEA at AWS Frankfurt (eu-central-1). CMRAD does not intentionally transfer uploaded content or outputs outside the EEA/UK, and configures operational telemetry for the Services to remain region-bound where available. If an exceptional transfer becomes strictly necessary (e.g., due to a legal requirement or urgent security incident), CMRAD will apply appropriate safeguards (including EU SCCs Module 2 and, where relevant, the UK Addendum/IDTA), limit scope to the minimum necessary, and notify Evaluator where legally permitted.

Assistance & Audit. Given ephemeral processing, CMRAD will reasonably assist with security/breach notifications, DPIAs, and data-subject requests to the extent feasible. Audit rights may be satisfied by current independent reports/certifications and security documentation; reasonable cost reimbursement may apply.

Incident/Breach Notice. CMRAD will notify Evaluator without undue delay and no later than 48 hours after confirming a personal data breach (GDPR). For HIPAA, CMRAD will report without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI, with available details and cooperation.

HIPAA-Specific (BAA). CMRAD (as Business Associate) may use/disclose PHI only to perform the Services and as required by law; will implement Security Rule safeguards; ensure subcontractors agree in writing to equivalent protections (including AWS under CMRAD’s BAA with AWS, limited to HIPAA-eligible services); make records available to HHS upon request; and destroy PHI at job end as above (or, if infeasible, extend protections and restrict further use/disclosure as required by law).

No Commercial Commitment. This Agreement does not create a purchase, subscription, SLA, or support obligation. It governs only the job-scoped processing for evaluation.

Precedence & Law. This Agreement supplements the site Terms; for conflicts on data protection/PHI handling, this Agreement controls. GDPR matters: governed by Swedish law. HIPAA matters: governed by U.S. federal law.

Acceptance. By submitting files and using this demo, Evaluator accepts this Agreement.

Annex A — Security Summary (EU hosting)

  • Hosting/Infra: AWS eu-central-1 (Frankfurt) (EEA).
  • Encryption: TLS 1.2+ in transit; AES-256 at rest; keys via AWS KMS with role-based access and rotation.
  • Access Controls: Least privilege, MFA, logging/alerting; production access restricted to authorized personnel.
  • Segregation: Logical tenant segregation; network segmentation and security groups.
  • Deletion: Content and derived outputs deleted ≤60 minutes after job completion (or earlier on Evaluator command). No persistent content backups.
  • Monitoring/IR: Centralized logging, vulnerability management, and incident response with notifications per this Agreement.

Annex B — Subprocessors

  1. Amazon Web Services, Inc. (AWS) — Infrastructure hosting, storage, and compute (e.g., EC2, EKS, S3, CloudWatch, KMS as applicable).
    1. Role: Infrastructure subprocessor (and HIPAA subcontractor when PHI is processed).
    2. Location: eu-central-1 (Frankfurt) (EEA).
    3. Safeguards: Contractual DPA/SCCs as applicable; CMRAD maintains a BAA with AWS; use limited to HIPAA-eligible services.